Question: If there are multiple files in /etc/audit/rules.d, in which sequence does auditd read the files placed in that directory? Based on alphanumeric order? E.g. would files with file names starting with “a” be read before files with file names starting with “b”? Would files with file names starting with “0” be read before files with file names starting with “1”? Does the /etc/audit/rules.d directory exist in CentOS/RHEL 5? Does audit read rules inside /etc/audit/rules.d on CentOS/RHEL 5?
– /etc/audit/rules.d/ doesn’t exist in CentOS/RHEL 5, and it doesn’t have any mechanism to read rules from this location.
– The /etc/audit/rules.d directory exists in CentOS/RHEL 6 onwards. It is used by augenrules (it reads rules from this location and adds them to the main rule file /etc/audit/audit.rules).
– Even on CentOS/RHEL 6, auditd doesn’t read rules from /etc/audit/rules.d by default. It reads them only if augenrules is enabled.
The parameter USE_AUGENRULES, when set to “yes”, enables auditd to read the rules files from the directory /etc/audit/rules.d.
# cat /etc/sysconfig/auditd | grep AUGEN
USE_AUGENRULES="yes"
– If the user does not want audit to read rules from the location /etc/audit/rules.d, keep augenrules disabled (it is disabled by default).
– While reading file names inside /etc/audit/rules.d, it reads files starting with numerals first (1, 2, 3 … 100) and then letters (a, b, c … z).
– If the user configures rules in both locations, audit.rules and rules.d, and augenrules is enabled, the file audit.rules will be overridden by augenrules.
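As an added example (not part of the answer above, and not the augenrules script itself), the following shell snippet previews the order in which rule files from a rules.d-style directory would be concatenated into one ruleset. It assumes the lexical ordering the answer describes (digits before letters, C locale) and uses a constructed temporary directory with sample files rather than the real /etc/audit/rules.d.

```shell
#!/bin/sh
# Added example: preview the merge order of *.rules files in a rules.d-style
# directory. Assumes a plain C-locale sort (digits sort before letters), which
# is the ordering described in the answer; it is not the augenrules program.
set -eu

# Constructed sample directory and rule files (stand-ins for /etc/audit/rules.d).
RULES_DIR="$(mktemp -d)"
trap 'rm -rf "$RULES_DIR"' EXIT

printf -- '-w /etc/passwd -p wa -k identity\n'            > "$RULES_DIR/10-identity.rules"
printf -- '-w /etc/sudoers -p wa -k privilege\n'          > "$RULES_DIR/20-privilege.rules"
printf -- '-a always,exit -F arch=b64 -S execve -k exec\n' > "$RULES_DIR/a-exec.rules"
# "-e 2" locks the audit configuration until reboot, so it belongs in the file
# that sorts last; anything merged after it would be rejected by auditctl.
printf -- '-e 2\n'                                          > "$RULES_DIR/zz-final.rules"

# Print the base names of the *.rules files in the order they would be merged.
rules_order() {
    ( cd "$1" && LC_ALL=C ls *.rules 2>/dev/null | LC_ALL=C sort )
}

# Concatenate the files in that order into a single ruleset on stdout
# (the equivalent of what augenrules writes into audit.rules).
merge_rules() {
    dir="$1"
    for f in $(rules_order "$dir"); do
        printf '## %s\n' "$f"      # comment marking which file each rule came from
        cat "$dir/$f"
    done
}

merge_rules "$RULES_DIR"
```

Redirect the output of merge_rules to a file to compare it against your generated audit.rules, or reorder file names if a rule (such as -e 2) must come last.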